Low-power encryption apparatus and method

1. A low-power plaintext encryption apparatus comprising: a plaintext input chip configured to receive from a user a plaintext P which is a concatenation of a plurality of sub-plaintexts each having a same length of bits; a mask value generation chip configured to generate a mask value M having a bit length identical to that of input round function values generated from the plurality of sub-plaintexts received from the plaintext input chip; a mask value application chip configured to generate first masking round function values by applying the mask value M to each of the input round function values; a round key application chip configured to generate second masking round function values by applying round key values to the first round function values; a mask operation chip configured to generate third masking round function values by performing a mask addition operation on the second masking round function values; a shift operation chip configured to generate fourth masking round function values by performing a circular shift operation on the third masking round function values; a shift operation correction chip configured to generate output round function values by performing an operation using the mask value M on the fourth masking round function values, and a plaintext output chip configured to output an encrypted plaintext P′ having a same length of bits by concatenating the output round function values, wherein the input round function values are an input round function value X i [0], an input round function value X i [1], an input round function value X i [2], and an input round function value X i [3], wherein the mask value application chip: generates a first masking round function value X i — 1 [0] from the input round function value X i [0] and the mask value M based on an equation “X i — 1 [0]=X i [0]⊕M”; generates a first masking round function value X i — 1 [1] from the input round function value X i [1] and the mask value M based on an equation “X i — 1 [1]=X i [1]⊕M”; generates a first masking round function value X i — 1 [2] from the input round function value X i [2] and the mask value M based on an equation “X i — 1 [2]=X i [2]⊕M”; and generates a first masking round function value X i — 1 [3] from the input round function value X i [3] and the mask value M based on an equation “X i — 1 [3]=X i [3]⊕M”; wherein ⊕ is an exclusive OR (XOR) operator, and wherein the round key values are a round key value RK i [0], a round key value RK i [1], a round key value RK i [2], a round key value RK i [3], a round key value RK i [4], and a round key value RK i [5].

2. The low-power encryption apparatus of claim 1 , wherein the round key application chip: generates a second masking round function value X i — 2 [0] from the first masking round function value X i — 1 [0] and the round key value RK i [0] based on an equation “X i — 2 [0]=X i — 1 [0]⊕RK i [0]”; generates a second masking round function value X i — 2 — 1 [1] from the first masking round function value X i — 1 [1] and the round key value RK i [1] based on an equation “X i — 2 — 1 [1]=X i — 1 [1]⊕RK i [1]”; generates a second masking round function value X i — 2 — 2 [1] from the first masking round function value X i — 1 [1] and the round key value RK i [2] based on an equation “X i — 2 — 2 [1]=X i — 1 [1]⊕RK i [2]”; generates a second masking round function value X i — 2 — 1 [2] from the first masking round function value X i — 1 [2] and the round key value RK i [3] based on an equation “X i — 2 — 1 [2]=X i — 1 [2]⊕RK i [3]”; generates a second masking round function value X i — 2 — 2 [2] from the first masking round function value X i — 1 [2] and the round key value RK i [4] based on an equation “X i — 2 — 2 [2]=X i — 1 [2]⊕RK i [4]”; and generates a second masking round function value X i — 2 [3] from the first masking round function value X i — 1 [3] and the round key value RK i [5] based on an equation “X i — 2 [3]=X i — 1 [3]⊕RK 1 [5].”

3. The low-power encryption apparatus of claim 2 , wherein the mask operation chip: generates a third masking round function value X i — 3 [1] by performing the mask addition operation, satisfying an equation “(A⊕M)⊙(B⊕M)=(A+B)⊕M,” on the second masking round function value X i — 2 [0] and the second masking round function value X i — 2 — 1 [1]; generates a third masking round function value X i — 3 [2] by performing the mask addition operation on the second masking round function value X i — 2 — 2 [1] and the second masking round function value X i — 2 — 1 [2]; and generates a third masking round function value X i — 3 [3] by performing the mask addition operation on the second masking round function value X i — 2 — 2 [2] and the second masking round function value X i — 2 [3]; wherein ⊙ is a mask addition operator, and each of A⊕M and B⊕M is a second masking round function value to which the mask value M has been applied.

4. The low-power encryption apparatus of claim 3 , wherein the shift operation chip: generates a fourth masking round function value X i — 4 [1] from the third masking round function value X i — 3 [1] based on an equation “X i — 4 [1]=ROL 9 (X i — 3 [1])”; generates a fourth masking round function value X i — 4 [2] from the third masking round function value X i — 3 [2] based on an equation “X i — 4 [2]=ROR 5 (X i — 3 [2])”; and generates a fourth masking round function value X i — 4 [3] from the third masking round function value X i — 3 [3] based on an equation “X i — 4 [3]=ROR 3 (X i — 3 [3])”; wherein ROL a (x) is a function that circularly shifts “x” to a left by “a” bits and then outputs a result, and ROR a (x) is a function that circularly shifts “x” to a right by “a” bits and then outputs a result.

5. The low-power encryption apparatus of claim 4 , wherein the shift operation correction chip: generates an output round function value X i+1 [0] from the fourth masking round function value X i — 4 [1] and the mask value M based on an equation “X i+1 [0]=X i — 4 [1]⊕{M⊕ROL 9 (M)}”; generates an output round function value X i+1 [1] from the fourth masking round function value X i — 4 [2] and the mask value M based on an equation “X i+1 [1]=X i — 4 [2]⊕{M⊕ROR 5 (M)}”; generates an output round function value X i+1 [2] from the fourth masking round function value X i — 4 [3] and the mask value M based on an equation “X i+1 [2]=X i — 4 [3]⊕{M⊕ROR 3 M}”; and generates an output round function value X i+1 [3] from the first masking round function value X i — 1 [0] based on an equation “X i+1 [3]=X i — 1 [0].”

6. A low-power encryption method comprising: receiving, by a plaintext input chip, from a user a plaintext P which is a concatenation of a plurality of sub-plaintexts each having a same length of bits; generating, by a mask value generation chip, a mask value M having a bit length identical to that of input round function values generated from the plurality of sub-plaintexts received from the plaintext input chip; generating, by a mask value application chip, first masking round function values by applying the mask value M to each of the input round function values; generating, by a round key application chip, second masking round function values by applying round key values to the first round function values; generating, by a mask operation chip, third masking round function values by performing a mask addition operation on the second masking round function values; generating, by a shift operation chip, fourth masking round function values by performing a circular shift operation on the third masking round function values; generating, by a shift operation correction chip, output round function values by performing an operation using the mask value M on the fourth masking round function values, and outputting, by a plaintext output chip, an encrypted plaintext P′ having a same length of bits by concatenating the output round function values, wherein the input round function values are an input round function value Xi[0], an input round function value X i [1], an input round function value X i [2], and an input round function value X i [3], wherein generating the first masking round function values includes: generating a first masking round function value X i — 1 [0] from the input round function value X i [0] and the mask value M based on an equation “X i — 1 [0]=X i [0]⊕M”; generating a first masking round function value X i — 1 [1] from the input round function value X i [1] and the mask value M based on an equation “X i — 1 [1]=X i [1]⊕M”; generating a first masking round function value X i — 1 [2] from the input round function value X i [2] and the mask value M based on an equation “X i — 1 [2]=X i [2]⊕M”; and generating a first masking round function value X i — 1 [3] from the input round function value X i [3] and the mask value M based on an equation “X i — 1 [3]=X i [3]⊕M”; wherein ⊕ is an XOR operator, and wherein the round key values are a round key value RK i [0], a round key value RK i [1], a round key value RK i [2], a round key value RK i [3], a round key value RK i [4], and a round key value RK i [5].

7. The low-power encryption method of claim 6 , wherein generating the second masking round function values includes: generating a second masking round function value X i — 12 [0] from the first masking round function value X i — 1 [0] and the round key value RK i [0] based on an equation “X i — 2 [0]=X i — 1 [0]⊕RK i [0]”; generating a second masking round function value X i — 2 — 1 [1] from the first masking round function value X i — 1 [1] and the round key value RK i [1] based on an equation “X i — 2 — 1 [1]=X i — 1 [1]⊕RK i [1]”; generating a second masking round function value X i — 2 — 2 [1] from the first masking round function value X 1 — 1 [1] and the round key value RK i [2] based on an equation “X i — 2 — 2 [1]=X i — 1 [1]⊕RK i [2]”; generating a second masking round function value X i — 2 — 1 [2] from the first masking round function value X i — 1 [2] and the round key value RK i [3] based on an equation “X i — 2 — 1 [2]=X i — 1 [2]⊕RK i [3]”; generating a second masking round function value X i — 2 — 2 [2] from the first masking round function value X i — 1 [2] and the round key value RK i [4] based on an equation “X i — 2 — 2 [2]=X i — 1 [2]⊕RK i [4]”; and generating a second masking round function value X i — 2 [3] from the first masking round function value X i — 1 [3] and the round key value RK i [5] based on an equation “X i — 2 [3]=X i — 1 [3]⊕RK i [5].”

8. The low-power encryption method of claim 7 , wherein generating the third masking round function values includes: generating a third masking round function value X i — 3 [1] by performing the mask addition operation, satisfying an equation “(A⊕M)└(B⊕M)=(A+B)⊕M,” on the second masking round function value X i — 2 [0] and the second masking round function value X i — 2 — 1 [1]; generating a third masking round function value X i — 3 [2] by performing the mask addition operation on the second masking round function value X i — 2 — 2 [1] and the second masking round function value X i — 2 — 1 [2]; and generating a third masking round function value X i — 3 [3] by performing the mask addition operation on the second masking round function value X i — 2 — 2 [2] and the second masking round function value X i — 2 [3]; wherein ⊙ is a mask addition operator, and each of A⊕M and B⊕M is a second masking round function value to which the mask value M has been applied.

9. The low-power encryption method of claim 8 , wherein generating the fourth masking round function values includes: generating a fourth masking round function value X i — 4 [1] from the third masking round function value X i — 3 [1] based on an equation “X 1 — 4 [1]=ROL 9 (X i — 3 [1])”; generating a fourth masking round function value X i — 4[2 ] from the third masking round function value X i — 3 [2] based on an equation “X i — 4 [2]=ROR 5 (X i — 3 [2])”; and generating a fourth masking round function value X i — 4 [3] from the third masking round function value X i — 3[3 ] based on an equation “X i — 4 [3]=ROR 3 (X i — 3 [3])”; wherein ROL a (x) is a function that circularly shifts “x” to a left by “a” bits and then outputs a result, and ROR a (x) is a function that circularly shifts “x” to a right by “a” bits and then outputs a result.

10. The low-power encryption method of claim 9 , wherein generating the output round function values includes: generating an output round function value X i+1 [0] from the fourth masking round function value X i — 4 [1] and the mask value M based on an equation “X i+1 [0]=X i — 4 [1]⊕{M⊕ROL 9 (M)}”; generating an output round function value X i+1 [1] from the fourth masking round function value X i — 4 [2] and the mask value M based on an equation “X i+1 [1]=X i — 4 [2]⊕{M⊕ROR 5 (M)}”; generating an output round function value X i+1 [2] from the fourth masking round function value X i — 4 [3] and the mask value M based on an equation “X i+1 [2]=X i — 4 [3]⊕{M⊕ROR 3 M}”; and generating an output round function value X i+1 [3] from the first masking round function value X i — 1 [0] based on an equation “X i+1 [3]=X i — 1 [0].”